From 906725fb9be8adef6ae6e52a255059549dfabed9 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Mon, 4 Dec 2023 11:50:24 +0100
Subject: [PATCH] try macvlan again
---
 hosts/fw.cloonar.com/modules/firewall.nix | 12 ++++++++----
 hosts/fw.cloonar.com/modules/gitea.nix | 14 +++++++-------
 hosts/fw.cloonar.com/modules/networking.nix | 16 ++++++++--------
 3 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix
index da111fd..6cfb104 100644
--- a/hosts/fw.cloonar.com/modules/firewall.nix
+++ b/hosts/fw.cloonar.com/modules/firewall.nix
@@ -126,6 +127,7 @@
 # Allow trusted networks to access the router
 iifname {
 "wan", # disable when final
+ "server",
 "lan",
 "wg_cloonar"
 } counter accept
@@ -133,6 +134,7 @@
 # Allow networks to access the dns and dhcp
 iifname {
 "lan",
+ "server",
 "vb-*",
 "podman0",
 "infrastructure",
@@ -142,6 +144,7 @@
 } udp dport { 53, 67, 68 } counter accept
 iifname {
 "lan",
+ "server",
 "podman0",
 "vb-*",
 "infrastructure",
@@ -172,11 +175,11 @@
 # multimedia airplay
 iifname "multimedia" oifname { "lan" } counter accept
- iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
+ # iifname { "vb-*" } oifname { "server" } counter accept comment "from internal interfaces"
 # lan and vpn to any
 # TODO: disable wan when finished
- iifname { "wan", "lan", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
+ iifname { "wan", "lan", "server", "vb-*", "podman0", "wg_cloonar" } oifname { "lan", "vb-*", "server", "podman0", "infrastructure", "multimedia", "smart", "wrwks", "wg_cloonar", "wg_epicenter", "wg_ghetto_at" } counter accept
 iifname { "infrastructure" } oifname { "podman0", "vb-omada" } counter accept
 # Allow trusted network WAN access
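Review bot: In hunk @@ -126 the added `"server"` joins `lan` and `wg_cloonar` in the set of interfaces allowed unrestricted access to the router itself, which gives the segment the gitea container is moved onto in gitea.nix (same commit) the same standing as the trusted LAN. The two following hunks already open DNS and DHCP to `"server"`, so unless the container must reach other host services, dropping the entry here and adding a narrower rule for any specific port keeps the container's reach limited to the services it actually uses. The enclosing chain starts and ends outside the hunk.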
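Review bot: In hunk @@ -172 `"server"` is added to the iifname side of the lan-and-vpn-to-any forward rule, so the container segment may now initiate connections to `lan`, `vb-*`, `podman0`, `infrastructure`, `multimedia`, `smart`, `wrwks` and all three WireGuard peers, whereas the rule being commented out only allowed `vb-*` to reach `server`. If the container is reachable from outside (not visible here), a compromise of it would then have a direct path into every internal segment; keeping `"server"` only in the oifname set and adding one explicit rule for whatever destinations it needs, for example `iifname "server" oifname { "wan" } counter accept`, preserves the old inbound-only posture. The `# TODO: disable wan when finished` context shows `wan` is still in the same trusted iifname set. The enclosing chain starts and ends outside the hunk.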
@@ -184,6 +187,7 @@
 "lan",
 "infrastructure",
 "vb-*",
+ "server"
 "podman0",
 "multimedia",
 "smart",
@@ -200,14 +204,14 @@
 }
 chain post {
- iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+ # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
 }
 # Setup NAT masquerading on external interfaces
 chain postrouting {
 type nat hook postrouting priority filter; policy accept;
 oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
- iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
+ # iifname { "vb-*" } oifname { "server" } masquerade comment "from internal interfaces"
 }
 }
 '';
diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix
index 09db17f..eb9279a 100644
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -101,10 +101,10 @@ in
 extraFlags = [ "-U" ];
 autoStart = true;
 ephemeral = true;
- # macvlans = [ "vserver" ];
- privateNetwork = true;
- hostBridge = "server";
- localAddress = "10.42.97.2";
+ macvlans = [ "vserver" ];
+ # privateNetwork = true;
+ # hostBridge = "server";
+ # localAddress = "10.42.97.2";
 bindMounts = {
 "/var/lib/gitea" = {
 hostPath = "/var/lib/gitea/";
@@ -120,9 +120,9 @@ in
 config = { lib, config, pkgs, ... }: {
 networking = {
 hostName = "gitea";
- interfaces.eth0 = {
- useDHCP = true;
- # ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
+ # interfaces.eth0.useDHCP = true;
+ interfaces.mv-vserver = {
+ ipv4.addresses = [ { address = "10.42.97.2"; prefixLength = 24; } ];
 };
 # firewall = {
 # enable = true;
diff --git a/hosts/fw.cloonar.com/modules/networking.nix b/hosts/fw.cloonar.com/modules/networking.nix
index 4b6b08e..cb99ee7 100644
--- a/hosts/fw.cloonar.com/modules/networking.nix
+++ b/hosts/fw.cloonar.com/modules/networking.nix
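Review bot: In hunk @@ -184 the inserted `"server"` has no trailing comma, so the set reads `"vb-*", "server" "podman0",`, which nft rejects as a syntax error and the whole ruleset then fails to load; depending on whether this NixOS version checks the ruleset at build time, that is either a build failure or a failed nftables unit on activation. The line should be `"server",` to match the entries around it. The set and its rule continue outside the hunk.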
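Review bot: In hunk @@ -120 of gitea.nix `interfaces.mv-vserver` gets a static address but nothing replaces the route that `useDHCP = true;` used to provide, so the container can only reach 10.42.97.0/24 unless a `defaultGateway` (presumably the host's address on its `server` macvlan) is added alongside. It is also worth a comment that with a macvlan on `vserver` in bridge mode, traffic between the container and other stations on that segment is switched in the kernel and never passes the host's nftables forward chain, so the `"server"` rules added to firewall.nix only apply to traffic addressed to or routed through the host's own `server` interface, e.g. `# macvlan: only traffic via the host's "server" macvlan passes the host firewall`. The `networking` block and the container definition continue outside the hunk.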
@@ -47,15 +47,15 @@
 interface = "enp5s0";
 };
 };
- # macvlans.server = {
- # interface = "vserver";
- # mode = "bridge";
- # };
- bridges = {
- server = {
- interfaces = [ "vserver" ];
- };
+ macvlans.server = {
+ interface = "vserver";
+ mode = "bridge";
 };
+ # bridges = {
+ # server = {
+ # interfaces = [ "vserver" ];
+ # };
+ # };
 interfaces = {
 # Don't request DHCP on the physical interfaces
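Review bot: In hunk @@ -47 the new `macvlans.server` carries no comment explaining why the host needs its own macvlan on `vserver` and why `mode = "bridge"` is required, so a later reader may "simplify" it back to the bridge that is being commented out. Presumably the reason is the usual macvlan limitation that a parent interface cannot exchange frames with the macvlans created on it, which a host-side macvlan works around; suggest `# host-side macvlan: the parent cannot talk to container macvlans on vserver, so the host needs one too; bridge mode lets them reach each other`. The firewall rules in firewall.nix match on the name `server`, so the attribute name is load-bearing and deserves a note as well.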